If you’ve been putting off obtaining your Security+ certification and are not going to attempt the exam before December 31, 2010, you may want to wait until the new version of Security+, SY0-301, is released. CompTIA is planning the new release of Security+ to stay current with the changing IT security landscape. The new Security+ exam will address current threats and exploits not covered in SY0-201.

This new version of the exam has different domain names. The weight of each domain has also changed. The new Security+ domains include:

1. Network Security

2. Compliance and Operational Security

3. Threats and Vulnerabilities

4. Application, Data, and Host Security

5. Access Control and Identity Management

6. Cryptography

The update to this certification is about more than just domain name changes. The third version of Security+ is focused on current cyber security foundations. These changes include a much broader review of many topics previously covered in less depth. Needed coverage of cloud computing has been added. It’s critical that more security practitioners are made aware of the security concerns of this technology as companies migrate to cloud-based services.

Also modified in the new version of the exam is the coverage of application layer attacks. There is increased coverage on cross-site scripting, SQL injection, zero day attacks, and even session hijacking. These are nice additions and will offer test candidates the opportunity to learn about current exploits such as Firesheep and other sidejacking exploits. Even the social engineering topics have been expanded to include such terms as whaling. Spear phishing or whaling is a social engineering technique used to trick a user into installing malware or redirect them to a malicious website.

The new exam not only focuses on prevention and detection but also highlights the growing need for responsive security controls such as computer forensics. Exam objectives now address forensics issues such as:

Chain of custody

Order of volatility

Image capture

Network traffic and logs

Evidence hashes

I believe it’s a good thing that CompTIA is rolling out this update. IT security is not static. The state of IT security is constantly in flux. The best way to maintain the credibility of this certification and ensure that it provides the needed security skills to entry-level IT professionals is to update it and include current threats, exploits, and defenses. If you would like to read over the objectives and see what changes are being made, you can find them here: http://www.comptia.org/Libraries/Exam_Objectives/CompTIA_Security_SY0-301.sflb.ashx

I blogged about sidejacking last week. This is a common threat and one that cyber security experts have identified as a major security flaw since at least 2004. Fox News asked Michael Gregg to stop by their studio and demonstrate the tool for viewers to get a better idea of how anyone can use Firesheep to spy on other wireless users. Many sites maintain user access by means of a cookie. Cookies are used to validate users to Facebook, Twitter, and other sites through an unencrypted channel. Firesheep allows a hacker to steal a user’s cookie. With this cookie, a hacker or malicious individual will have full access to the victim’s/user’s profile. To see more of my Firesheep hacking interview with Fox News click here: Firesheep Hacking.

Over the years, there has been a steady progression of polished, easy-to-use tools that have lowered the bar for hackers. Firesheep is a good example of one such tool. Firesheep was designed to highlight how many web sites use weak authentication that is vulnerable to sniffing. While it is a common practice for web sites to secure the initial login, many leave cookies and additional communication in the clear. By simply sniffing and capturing these cookies, the user’s session can be easily sidejacked.

Firesheep operates as a Firefox add-on and goes a long way in demonstrating that too many web sites don’t sufficiently protect their users. This is not the first tool to offer this functionality. Commercial tools such as Silica, and free offerings like Hamster, previously demonstrated that these types of attacks are possible. What Firesheep does so well is make the attack far too easy for even a script kiddie to launch. It also highlights the continued failure by many to take network security seriously.

To install the tool, the user needs to download the firesheep-0.1-1.xpi file and then install it in Firefox. Windows users will also need to install Winpcap. Once these two steps are completed, all that is needed is to open the Firesheep sidebar in Firefox and set the tool to capture. The only real fix for the problem that Firesheep has once again exposed is encryption.

Until long-term fixes are developed, users must rely on tools such as HTTPS Everywhere, Force-TLS, and VPNs. I hope the release of this tool serves as a wake-up call to the many organizations on the web that have failed to provide adequate protection for their users. Only time will tell if this proves to be true.
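The server-side half of the fix the post is pointing at, as an added example that is not part of the original post: a session cookie set without the Secure attribute is sent by the browser on plain-HTTP requests too, so a site can encrypt its login page and still hand the session to anyone sniffing the network. The Python below audits Set-Cookie header values for the Secure and HttpOnly attributes and builds a header that carries both; the header values are constructed samples and the function names are my own.

```python
from http.cookies import SimpleCookie

# Constructed sample Set-Cookie values, as a site might emit them right after
# an HTTPS login. The first is the pattern Firesheep exploits: the login itself
# was encrypted, but the session cookie lacks Secure, so the browser will also
# send it on plain-HTTP requests to the same host, where it can be sniffed.
SAMPLE_SET_COOKIE_HEADERS = [
    "session_id=3a9f2c7e1b; Path=/",
    "csrf_token=7d41e0; Path=/; Secure; HttpOnly",
]


def audit_set_cookie_headers(headers):
    """Return [(cookie_name, [issues])] for every cookie missing Secure or HttpOnly.

    Secure stops the browser from sending the cookie over unencrypted HTTP;
    HttpOnly stops page scripts (for example, ones injected via XSS) from reading it.
    """
    findings = []
    for raw in headers:
        jar = SimpleCookie()
        jar.load(raw)  # parses name=value plus the trailing attributes and flags
        for name, morsel in jar.items():
            issues = []
            # Flag attributes are True when present and "" when absent.
            if not morsel["secure"]:
                issues.append("missing Secure")
            if not morsel["httponly"]:
                issues.append("missing HttpOnly")
            if issues:
                findings.append((name, issues))
    return findings


def hardened_set_cookie(name, value, path="/"):
    """Build a Set-Cookie header value that carries both protective flags."""
    jar = SimpleCookie()
    jar[name] = value
    jar[name]["path"] = path
    jar[name]["secure"] = True
    jar[name]["httponly"] = True
    return jar[name].OutputString()


if __name__ == "__main__":
    for cookie_name, issues in audit_set_cookie_headers(SAMPLE_SET_COOKIE_HEADERS):
        print(f"{cookie_name}: {', '.join(issues)}")
    print("hardened:", hardened_set_cookie("session_id", "3a9f2c7e1b"))
```

Run the audit against the Set-Cookie headers your own site returns after login; any cookie it reports without Secure is one a sniffer on an open wireless network can replay, which is exactly what the post describes.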

Are you ever uneasy about all the companies that want your social security number and other personal information? A recent study compiled by McAfee, featured on eSecurity Planet, listed the top ten most hacked industries.

While the Internet has brought great advances in the daily lives of many people, it has also made the threat of cyber crime and identity theft much more likely. In the past, most personal information was kept in paper-based files. Today, these files are stored electronically and more often than not these records are directly accessible via the Internet. The magnitude of the problem is staggering and the list of businesses hardest hit by identity theft covers all industries. The top ten most dangerous places to share your social security number included:

Universities and colleges

Banks and financial institutions

Hospitals

State government

Local government

Federal government

Medical businesses

Non-profit organizations

Technology companies

Medical insurance and medical clinics

The U.S. Federal Bureau of Investigation (FBI) estimates that in the course of one year as many as 10 million Americans are the victims of identity theft. Although sources differ on the level of threat, the trend is indisputable: cyber crime is increasing at an exponential rate. Without stricter laws punishing companies that expose personal information such as social security numbers and credit card numbers, these security breaches will continue.

Since not everyone studies in the same manner, what works for one person may not work for someone else. If you are looking to obtain your CISSP, CISA, CISM, CEH, or really any IT security certification, you will need to study. All certifications require work. It is my opinion that one must practice to develop the good study skills that best suit the individual.

So how do you best study for a certification exam? One approach is to study at the same time and place each day, stay motivated, and allow time for breaks. Grabbing some coffee, sorting the mail, or simply finding a place to unwind for a few minutes does the body good. Your brain has a way of retaining what you’ve been studying, and a break reinforces what you’ve already learned.

It’s also important to try to avoid distractions. It’s funny that when you need to study, your brain will remind you there are a million other things you could be doing. If you are deep into your study mode and find yourself “on a roll,” then make an effort to stay focused for as long as you can. If you are tired or find yourself struggling, then remember that it is okay to stop and start over again the next day. It’s wise to discipline yourself into studying a little bit every day instead of engaging in “marathon” studying once or twice a week.

Every specialty has its own jargon and, most especially in IT and security, you will find that it’s difficult to avoid the acronyms. There are just so many terms: MAC address, ATM, VLAN, clipping level, IDS, man-in-the-middle attack, Trojan, etc. Sometimes you may just want to do a quick search of the Internet or even check out Wikipedia to get an overview of the term and its meaning.

While it’s important to develop effective study skills, it’s also important to make an effort to enjoy what you’re reading, stay motivated, feel relaxed, and know how to pace yourself because it’s all part of the learning process. After all, having success in the future is based on one’s ability to study, learn, and expand your knowledge and skills.

While CompTIA is widely known for their foundational coverage of networking and security, they are now developing a more advanced security certification, the CompTIA Advanced Security Practitioner (CASP). While this advanced security certification is still in the development phase, what is known is that it is targeted at individuals with ten years’ experience with a minimum of five years of actual hands-on work.

The Advanced Security Practitioner certification will cover a body of knowledge that includes key security knowledge. To become certified, CASP exam candidates will need to pass one exam that covers the following domains:

Enterprise Security

Risk Management, Policy/Procedure, and Legal

Research and Analysis

Integration of Computing, Communications, and Business Disciplines

I believe that there is a real place for the CASP certification. I like the concept of vendor-neutral certifications, and there is a real gap between most of the entry-level security certifications that cover foundational knowledge and higher-level certifications such as CISSP, CISA, and CISM. While we certainly need high-level cyber security experts to lead, organize, and control, there’s also a real need for people that have hands-on experience at securing critical infrastructure. How well this CompTIA certification covers all aspects of IT security won’t be known until the complete outline is released.

While many things are unknown about Stuxnet, what is known is that it marks a critical change in cyber war. So much so that Kaspersky Labs describes it as “a prototype of a cyber-weapon that will lead to the creation of a new arms race.” While some may say this is far-fetched, this would not be the first time that cyber warfare has been conducted. A few such instances include:

The malware was developed to attack Siemens AG’s industrial control systems. These supervisory control and data acquisition (SCADA) systems are used to monitor automated systems such as refinery, chemical, power generation, and food facilities. The worm has the ability to travel by USB thumb drive until finding its intended target and at that time, start manipulating the settings of the targeted systems.

Such attacks would result in damage, downtime, and denial of service (DoS) of the intended target. So far, most of the systems affected by Stuxnet are located in Iran. Some news sources have stated that the worm’s obvious target was Iran’s nuclear reactors. Further analysis of the worm should help clarify its intended target.

MagicJack is a great device for those traveling abroad or anyone needing an occasional extra phone. The only real problem is when you happen to forget the MagicJack adapter or in situations when it’s just not possible to plug in a USB device. There are ways to overcome this problem and access your MagicJack service without the USB adapter. Before I show you how, I must note that this is a violation of the terms of service (TOS) of the MagicJack service and is discussed here as a proof of concept.

MagicJack adapters are basic SIP devices and employ the same session control protocols to set up and tear down calls, just like other VoIP softphones. To use the MagicJack service without the physical USB device, you will need to complete a couple of steps.

1. Grab the username and password via a memory dump. You can identify the username by its format, EXXXXXXXXXX01. This is E, your phone number, and 01. So your username will be E<YourMJPhoneNumber>01. Your password will be a 20 character value. I would recommend using PMdump to extract this information.

2. Save these values as you will need them later.

3. Identify the gateway being used by MagicJack for your specific phone prefix. The MagicJack service uses the www.talk4free.com site. The format for the entry you will need to make for your softphone to work without the adapter will take the format of proxy01.<yourcity>.talk4free.com. You can capture this information with Wireshark.

4. Place this information into the softphone of your choice such as iCall, X-Lite, SJPhone, etc.

This used to be all that was required until MagicJack realized that some clever users had discovered this hack. Security measures have now been added to make this a little more difficult. MagicJack modified the method in which they calculate the nonce for MD5 authentication. This additional information uses a value in the Call-ID header. While not complex, this adds an additional barrier for users attempting to use their MagicJack service without the required USB dongle. The easiest way to get around this restriction is to use MJMD5. It is available for free at Mediafire.com.

While MagicJack is a great device and is reasonably priced, it’s a pain to always have the USB device installed to maintain service. For whatever reason, MagicJack does not want its customers to use their service as a softphone. However, if you like to hack, there are ways to bypass this restriction. Has anyone else tried this? How have you hacked your MagicJack?

It looks like Saudi Arabia has succeeded in forcing RIM to allow access to a portion of its data as it flows through the cell phone network. The proposed deal with Saudi Arabia should seem like a real victory to other countries such as the UAE. Many of the cell phone providers in the Middle East have been eager to gain access to this data. As an example, Etisalat, the main cell phone company in the UAE, attempted to hack into these smart phones last year but failed when the code dropped onto Blackberry devices failed to execute properly causing the phones to drain batteries quickly.

While Blackberry phones do offer some security, the level of security offered is dependent upon its configuration. Corporate users have additional security controls that are not available to consumers. While there are legitimate situations where traffic may need to be monitored, the real issue here is the continued erosion of privacy.

RIM has stated that they will work with all governments to ensure that their services meet any specific national security standards. For RIM to maintain market share in countries such as India, the UAE, Saudi Arabia, etc., they will be forced to place some servers in these nations and allow them to be used as a point to tap or access the email data stream. The only other option is to leave these markets. RIM is already under pressure from Apple and Android. Leaving these growing markets is not something that I believe RIM will want to do.

Superior Solutions, Inc. COO, Michael Gregg, has been interviewed on this issue several times in the last few weeks. So, if you’re asking yourself when was the last time you saw Michael Gregg discuss smart phone security, check out the resource page for links to these articles.

It seems that this is going to be the year that smartphones start to get more security exposure. In December of 2009, President Obama’s cyber czar commented on the rising threat of smartphone attacks.

The iPhone has been targeted with questionable programs and malware such as libtiff, SMS fuzzing, Aurora Feint, Ikee, and Storm8. Blackberry is under fire by the UAE, India, and others over their inability to intercept RIM Blackberry email. In June of 2010, SMobile Systems released a report, “Threat Analysis of the Android Market,” that stated that up to “one-fifth of Android applications have access to private data that could be used for malicious purpose.”

Smartphone vendors are going to have to work harder at securing their platforms and hardening them against attack. While stronger security controls are needed, there must also be an increased awareness that smartphones are mini computers with ever-increasing power and access to personal information. If you would like to read more about this issue, take a moment to review the interview Michael Gregg did with the International Business Times on Blackberry hacking.